Submission + - Malicious code discovered in popular xz utils (arstechnica.com)
.
The compression utility, known as xz Utils, introduced the malicious code in versions 5.6.0 and 5.6.1, according to Andres Freund, the developer who discovered it. There are no confirmed reports of those versions being incorporated into any production releases for major Linux distributions, but both Red Hat and Debian reported that recently published beta releases used at least one of the backdoored versions—specifically, in Fedora 40 and Fedora Rawhide and Debian testing, unstable and experimental distributions. Because the backdoor was discovered before the malicious versions of xz Utils were added to production versions of Linux, “it's not really affecting anyone in the real world,” Will Dormann, a senior vulnerability analyst at security firm ANALYGENCE, said in an online interview. “BUT that's only because it was discovered early due to bad actor sloppiness. Had it not been discovered, it would have been catastrophic to the world.”
The really worrying part here is that the developer clearly did it on purpose, and he has been on this project for a solid two years. This raises all sorts of questions about the security of Linux in general. How many other 'deep cover' operatives might be planning or actually in the process of inserting malicious code into the Gnu/Linux code base?